
TIMBER-V: Tag-Isolated Memory Bringing Fine-grained Enclaves to RISC-V

Samuel Weiser∗, Mario Werner∗, Ferdinand Brasser†, Maja Malenko∗, Stefan Mangard∗, Ahmad-Reza Sadeghi†
∗ Graz University of Technology
† TU Darmstadt

Network and Distributed Systems Security (NDSS) Symposium 2019, 24-27 February 2019, San Diego, CA, USA. ISBN 1-891562-55-X. https://dx.doi.org/10.14722/ndss.2019.23068 www.ndss-symposium.org

Abstract—Embedded computing devices are used on a large scale in the emerging internet of things (IoT). However, their wide deployment raises the incentive for attackers to target these devices, as demonstrated by several recent attacks. As IoT devices are built for long service life, means are required to protect sensitive code in the presence of potential vulnerabilities, which might be discovered long after deployment. Tagged memory has been proposed as a mechanism to enforce various fine-grained security policies at runtime. However, none of the existing tagged memory schemes provides efficient and flexible compartmentalization in terms of isolated execution environments.

We present TIMBER-V, a new tagged memory architecture featuring flexible and efficient isolation of code and data on small embedded systems. We overcome several limitations of previous schemes. We augment tag isolation with a memory protection unit to isolate individual processes, while maintaining low memory overhead. TIMBER-V significantly reduces the problem of memory fragmentation, and improves dynamic reuse of untrusted memory across security boundaries. TIMBER-V enables novel sharing of execution stacks across different security domains, in addition to interleaved heaps. TIMBER-V is compatible with existing code, supports real-time constraints and is open source. We show the efficiency of TIMBER-V by evaluating our proof-of-concept implementation on the RISC-V simulator.

I. INTRODUCTION

With ongoing advances in miniaturization and energy efficiency, computing devices are rapidly penetrating everyday life. Due to long service life, security of such devices becomes decisive. In the recent past, we have been witnessing attacks on millions of cameras and routers [39], cars [38], cardiac devices [35] and light bulbs [41], to name a few. The high code complexity of these devices fosters programming bugs, making their exploitation only a matter of time. This attenuates potential IoT use cases since a compromise could have immediate monetary, legal or privacy consequences [26]. Also, the protection of intellectual property (IP) in a highly diverse market like the IoT, which integrates code from multiple vendors, requires strong security guarantees.

Isolated execution protects sensitive code and data on devices with compromised or untrusted software, and has been proposed for different systems, with and without virtual memory [2,3,7,9,10,13,21,22,25,28,34,37,40,47]. Especially small resource-constrained devices often suffer from poor memory utilization due to memory fragmentation and inefficient isolation mechanisms. A tighter integration of trusted memory in the limited physical address space would demand fine-grained isolation boundaries, which existing schemes either do not provide at all, or provide only at the expense of high management overhead. Also, more flexible isolation mechanisms are important for dynamically managing trusted memory.

A technique that has the potential to offer fine-grained and flexible isolation boundaries is tagged memory. Tagged memory transparently associates blocks of memory with additional metadata. It has been used for dynamic information flow tracking [48] as well as access control [53], and is still an active subject of research [31,45]. While tagged memory has been shown to support a variety of security policies like protection of control data [14], pointers [18] or capabilities [52], strong, efficient and flexible isolated execution is still an open problem for small embedded systems. In particular, data flow isolation [45] cannot provide strong isolation since tags can be destructively written by untrusted software. Other existing solutions are not appropriate for low-end embedded devices due to their memory overhead stemming from large tags [54] or fully programmable but expensive tag engines [11,17,19,49]. Hence, currently no existing tagged memory scheme supports efficient isolated execution on small embedded devices.

In this work, we propose TIMBER-V, a tagged memory architecture which brings efficient isolated execution in the form of enclaves to low-end devices. Since isolated execution is still not well researched for low-end RISC-V processors, we prototype TIMBER-V on the open RISC-V architecture via a hardware-software co-design. On the hardware side, we achieve fine-grained in-process isolation with only two tag bits. Moreover, we combine tagged memory with a memory protection unit (MPU) to support an arbitrary number of processes while avoiding the overhead of large tags [54]. On the software side, we enforce isolated execution via a small trust manager, called TagRoot. We isolate privileged from unprivileged security domains, supporting both Intel SGX enclaves [37] and the TrustZone [3] programming model, but with much finer isolation granularity and more efficient memory utilization. This has several advantages. On the one hand, data locality can be maintained by interleaving trusted and untrusted memory, thus minimizing memory fragmentation. On the other hand, TIMBER-V uses a tag update policy which allows highly flexible dynamic memory management of trusted data. Dynamic memory support has been announced for the upcoming Intel SGXv2, which involves costly interaction with the operating system [29]. In contrast, TIMBER-V enclaves can instantaneously claim memory by using a single instruction. To demonstrate these advantages, we show heap interleaving and a novel stack interleaving scheme. That is, we use a single heap and stack across different security domains while maintaining strong isolation. Moreover, we demonstrate highly efficient inter-enclave communication over secure shared memory. We support real-time constraints by making all trusted software interruptible. We implement and benchmark TIMBER-V on the RISC-V Spike simulator, allowing an evaluation under different CPU models which highlights characteristics of TIMBER-V rather than CPU implementation specifics. We show that the runtime overhead of TIMBER-V is 25.2% for naive implementations while tag caching reduces the overhead to 2.6%.

In summary, our main contributions are:

• We propose TIMBER-V, the first efficient tagged memory architecture for isolated execution on low-end processors
• We present a novel concept called stack interleaving that allows for efficient and dynamic memory management
• We propose lightweight shared memory between enclaves
• We propose an efficient shared MPU design
• We extensively evaluated our proof-of-concept implementation on the RISC-V simulator for different CPU models

II. BACKGROUND

This section gives background information about related security architectures, RISC-V and tagged memory.

Security Architectures. Process isolation is a fundamental security concept which combines hardware and software techniques to isolate the memory of processes from each other. It is usually enforced by the operating system taking advantage of the processor's privilege modes. Large systems isolate processes in separate virtual address spaces with the help of a memory management unit (MMU), while resource-constrained devices use a memory protection

monitor handler to switch worlds. ARM TrustZone-M [3] integrates the TrustZone concept into smaller Cortex-M processors. Non-secure applications can call secure applications through multiple designated entry points, specified via non-secure callable regions.

The central concept of Intel SGX [37] is a hardware-isolated container, called an enclave, in which sensitive parts of an application are placed. Unlike TrustZone, an enclave directly resides in the address space of a user process. SGX does not rely on any privileged software (trusted kernel, hypervisor, etc.) to isolate enclaves, thus reducing the TCB to only the CPU and enclaves themselves. However, SGX's management instructions involve pretty complex microcode.

RISC-V. RISC-V [50] is an open and extensible instruction set architecture and defines three privilege modes [51], namely machine-mode (M), supervisor-mode (S), and user-mode (U). M-mode has the highest privileges and is used for emulating missing hardware features. S-mode and U-mode are meant to run an operating system and user applications, respectively.

Tagged Memory. The idea behind tagged memory is to extend each memory word with additional bits that store metadata. The general tagged architecture concept is very old and can already be found in numerous early computer designs [23]. There, tag bits were, for example, used for debugging as well as for dynamically tracking the numeric type of data words. Recent commercially available computer architectures hardly support hardware-based tagged memory. Schemes that associate memory with metadata, like for example dynamic analysis tools [43,44,46], rely on software-based solutions instead. However, recent research on tagged-memory architectures in the system security context [8,19,45] hints that re-establishing hardware support can considerably improve security.
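
The per-word tagging idea from the Background, as an added C model that is not code from the paper or the TIMBER-V project: each word carries a 2-bit tag checked on every access, so a trusted word can sit between untrusted words of the same buffer. The tag names, their encoding, the rule that only the trusted domain may retag, and the scrub-on-release step are assumptions made for illustration, not TIMBER-V's actual tag policy.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model: tag names, encoding and rules are assumptions. */
enum tag { TAG_NORMAL = 0, TAG_TRUSTED = 1 };   /* 2-bit tag, two values used */
enum domain { DOM_NORMAL, DOM_TRUSTED };        /* which code is executing */
#define WORDS 8
struct tagged_mem { uint32_t word[WORDS]; uint8_t tag[WORDS]; };

/* Checked on every access: normal code may only touch normal-tagged words. */
static int allowed(const struct tagged_mem *m, enum domain d, size_t i) {
    return i < WORDS && (d == DOM_TRUSTED || (m->tag[i] & 3) == TAG_NORMAL);
}
int tm_load(const struct tagged_mem *m, enum domain d, size_t i, uint32_t *out) {
    if (!allowed(m, d, i)) return -1;
    *out = m->word[i];
    return 0;
}
int tm_store(struct tagged_mem *m, enum domain d, size_t i, uint32_t v) {
    if (!allowed(m, d, i)) return -1;
    m->word[i] = v;
    return 0;
}
/* Tag update: only trusted code may retag; a released word is scrubbed first. */
int tm_retag(struct tagged_mem *m, enum domain d, size_t i, enum tag t) {
    if (i >= WORDS || d != DOM_TRUSTED) return -1;
    if ((m->tag[i] & 3) == TAG_TRUSTED && t == TAG_NORMAL) m->word[i] = 0;
    m->tag[i] = (uint8_t)t;
    return 0;
}

/* One buffer with trusted word 3 interleaved between normal words 2 and 4.
   Each bit of the result records one expected outcome of the tag check. */
int run_scenario(void) {
    struct tagged_mem m = {{0}, {0}};
    uint32_t v = 0xFFFFFFFFu;
    int r = 0;
    r |= (tm_store(&m, DOM_NORMAL, 2, 0x11) == 0) << 0;
    r |= (tm_retag(&m, DOM_NORMAL, 3, TAG_TRUSTED) == -1) << 1;   /* untrusted retag refused */
    r |= (tm_retag(&m, DOM_TRUSTED, 3, TAG_TRUSTED) == 0
          && tm_store(&m, DOM_TRUSTED, 3, 0xC0FFEE) == 0) << 2;   /* claim, then write */
    r |= (tm_load(&m, DOM_NORMAL, 3, &v) == -1) << 3;             /* secret unreadable */
    r |= (tm_store(&m, DOM_NORMAL, 3, 0) == -1) << 4;             /* and unwritable */
    r |= (tm_load(&m, DOM_NORMAL, 2, &v) == 0 && v == 0x11) << 5; /* neighbour unaffected */
    tm_retag(&m, DOM_TRUSTED, 3, TAG_NORMAL);                     /* release the word */
    r |= (tm_load(&m, DOM_NORMAL, 3, &v) == 0 && v == 0) << 6;    /* reusable, scrubbed */
    return r;
}
int main(void) { return run_scenario() == 0x7f ? 0 : 1; }
```

Relaxing the domain check in `tm_retag` clears bits 3 and 4 once untrusted code retags word 3, which is the destructive tag write the Introduction cites as the reason data flow isolation cannot provide strong isolation.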